So ... I just downloaded a Debian Sarge CD image, checked the MD5 sum was okay, and then just for completeness figured I'd check the GPG signature on the MD5 sums file ...

GPG told me I needed DSA key id 88C7C1F7 to verify the signature ... http://www.debian.org/CD/faq/#verify tells me I can get the Debian keys from http://ftp.debian.org/debian/doc/ ... where the Debian keyring is available for download as a gzip'ed file that's 13.1Mb in size!

Do I *really* need to add such a large keyring to my own keyring, just to verify the dang GPG signature on a CD image? This is not good ...

I assume the "Debian keyring" contains the public keys of every Debian developer there has ever been. Surely there is a release-signing key that Debian uses, that could be posted separately for download?

Cheers,
Nick Boyce